From 83ab63138cfbe7988e3462f66675a3f7261b381f Mon Sep 17 00:00:00 2001 
From: Aleksander Morgado Date: Tue, 11 Sep 2012 16:31:14 +0200 Subject: [PATCH] sms: fix double free when parsing PDUs If we get an error when telling the SMS list to take the new PDU, the caller is the one responsible for freeing the part, so avoid doing it twice. Relevant valgrind log: ==7287== Invalid read of size 8 ==7287== at 0x437CE1: mm_sms_part_free (mm-sms-part.c:344) ==7287== by 0x454D11: mm_iface_modem_messaging_take_part (mm-iface-modem-messaging.c:359) ==7287== by 0x461234: cds_received (mm-broadband-modem.c:4626) ==7287== by 0x48A305: parse_unsolicited (mm-at-serial-port.c:256) ==7287== by 0x48723D: parse_response (mm-serial-port.c:731) ==7287== by 0x48759B: data_available (mm-serial-port.c:801) ==7287== by 0x36ADC47694: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3200.4) ==7287== by 0x36ADC479C7: ??? (in /usr/lib64/libglib-2.0.so.0.3200.4) ==7287== by 0x36ADC47DC1: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3200.4) ==7287== by 0x421398: main (main.c:150) ==7287== Address 0x9840b78 is 24 bytes inside a block of size 104 free'd ==7287== at 0x4A079AE: free (vg_replace_malloc.c:427) ==7287== by 0x36ADC4D37E: g_free (in /usr/lib64/libglib-2.0.so.0.3200.4) ==7287== by 0x36ADC61CCE: g_slice_free1 (in /usr/lib64/libglib-2.0.so.0.3200.4) ==7287== by 0x437D5A: mm_sms_part_free (mm-sms-part.c:351) ==7287== by 0x36ADC449EC: g_list_foreach (in /usr/lib64/libglib-2.0.so.0.3200.4) ==7287== by 0x36ADC44A0A: g_list_free_full (in /usr/lib64/libglib-2.0.so.0.3200.4) ==7287== by 0x43D8A1: finalize (mm-sms.c:1629) ==7287== by 0x36AE8145DA: g_object_unref (in /usr/lib64/libgobject-2.0.so.0.3200.4) ==7287== by 0x43CD52: mm_sms_singlepart_new (mm-sms.c:1376) ==7287== by 0x43E223: take_singlepart (mm-sms-list.c:236) ==7287== by 0x43E60D: mm_sms_list_take_part (mm-sms-list.c:338) ==7287== by 0x454CC7: mm_iface_modem_messaging_take_part (mm-iface-modem-messaging.c:353) --- src/mm-sms.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
diff --git a/src/mm-sms.c b/src/mm-sms.c
index 3912810d..4a647b46 100644
--- a/src/mm-sms.c
+++ b/src/mm-sms.c
@@ -1372,9 +1372,12 @@ mm_sms_singlepart_new (MMBaseModem *modem,
 /* Keep the single part in the list */
 self->priv->parts = g_list_prepend (self->priv->parts, part);
- if (!assemble_sms (self, error))
+ if (!assemble_sms (self, error)) {
+ /* Note: we need to remove the part from the list, as we really didn't
+ * take it, and therefore the caller is responsible for freeing it. */
+ self->priv->parts = g_list_remove (self->priv->parts, part);
 g_clear_object (&self);
- else
+ } else
 /* Only export once properly created */
 mm_sms_export (self);